Perform semantic extension config validation in Java

api/src/main/openapi/paths/extension-points__name__extensions__name__config.yaml

@@ -90,7 +90,13 @@ put:
     "304":
       description: Not Modified
     "400":
-      $ref: "../components/responses/json-schema-validation-error.yaml"
+      description: Bad Request
+      content:
+        application/problem+json:
+          schema:
+            anyOf:
+            - $ref: "../components/schemas/json-schema-validation-problem-details.yaml"
+            - $ref: "../components/schemas/problem-details.yaml"
     "401":
       $ref: "../components/responses/generic-unauthorized-error.yaml"
     "403":

apiserver/src/main/java/org/dependencytrack/plugin/ConfigRegistryImpl.java

@@ -28,6 +28,7 @@
 import org.eclipse.microprofile.config.Config;
 import org.jspecify.annotations.Nullable;
 
+import java.util.Optional;
 import java.util.function.Function;
 
 import static java.util.Objects.requireNonNull;
@@ -67,9 +68,9 @@ public DeploymentConfig getDeploymentConfig() {
     }
 
     @Override
-    public @Nullable RuntimeConfig getRuntimeConfig() {
+    public Optional<RuntimeConfig> getOptionalRuntimeConfig() {
         if (runtimeConfigSpec == null) {
-            return null;
+            return Optional.empty();
         }
         requireNonNull(runtimeConfigMapper, "runtimeConfigMapper is not initialized");
         requireNonNull(secretResolver, "secretResolver is not initialized");
@@ -78,14 +79,20 @@ public DeploymentConfig getDeploymentConfig() {
                 handle -> handle.attach(ExtensionConfigDao.class).getConfig(
                         extensionPointName, extensionName));
         if (configJson == null) {
-            return null;
+            return Optional.empty();
         }
 
         final JsonNode configJsonNode = runtimeConfigMapper.validateJson(configJson, runtimeConfigSpec);
 
         runtimeConfigMapper.resolveSecretRefs(configJsonNode, runtimeConfigSpec, secretResolver);
 
-        return runtimeConfigMapper.convert(configJsonNode, runtimeConfigSpec.configClass());
+        final RuntimeConfig runtimeConfig = runtimeConfigMapper.convert(configJsonNode, runtimeConfigSpec.configClass());
+
+        if (runtimeConfigSpec.validator() != null) {
+            runtimeConfigSpec.validator().validate(runtimeConfig);
+        }
+
+        return Optional.of(runtimeConfig);
     }
 
     @Override

apiserver/src/main/java/org/dependencytrack/plugin/PluginManager.java

@@ -403,7 +403,7 @@ private void loadExtension(
             }
 
             LOGGER.debug("Creating runtime extension configs with defaults if necessary");
-            if (configRegistry.getRuntimeConfig() == null) {
+            if (configRegistry.getOptionalRuntimeConfig().isEmpty()) {
                 final boolean updated = configRegistry.setRuntimeConfig(defaultRuntimeConfig);
                 if (updated) {
                     LOGGER.debug("Created default runtime config");

apiserver/src/main/java/org/dependencytrack/resources/v2/ExtensionsResource.java

@@ -202,7 +202,12 @@ public Response updateExtensionConfig(
         final String configJson = Json.createObjectBuilder(request.getConfig()).build().toString();
 
         // Throws when config is invalid or secrets cannot be resolved.
-        validateConfigAndResolveSecrets(configJson, runtimeConfigSpec);
+        final JsonNode configNode = validateConfigAndResolveSecrets(configJson, runtimeConfigSpec);
+
+        final RuntimeConfig config = configMapper.convert(configNode, runtimeConfigSpec.configClass());
+        if (runtimeConfigSpec.validator() != null) {
+            runtimeConfigSpec.validator().validate(config);
+        }
 
         final boolean updated = inJdbiTransaction(
                 getAlpineRequest(),
@@ -275,6 +280,9 @@ public Response testExtension(
             final String configJson = Json.createObjectBuilder(request.getConfig()).build().toString();
             final JsonNode configNode = validateConfigAndResolveSecrets(configJson, runtimeConfigSpec);
             runtimeConfig = configMapper.convert(configNode, runtimeConfigSpec.configClass());
+            if (runtimeConfigSpec.validator() != null) {
+                runtimeConfigSpec.validator().validate(runtimeConfig);
+            }
         }
 
         final ExtensionTestResult testResult;

apiserver/src/main/java/org/dependencytrack/resources/v2/exception/InvalidRuntimeConfigExceptionMapper.java

@@ -0,0 +1,40 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.resources.v2.exception;
+
+import jakarta.ws.rs.ext.Provider;
+import org.dependencytrack.api.v2.model.ProblemDetails;
+import org.dependencytrack.plugin.api.config.InvalidRuntimeConfigException;
+
+/**
+ * @since 5.7.0
+ */
+@Provider
+public final class InvalidRuntimeConfigExceptionMapper extends ProblemDetailsExceptionMapper<InvalidRuntimeConfigException, ProblemDetails> {
+
+    @Override
+    ProblemDetails map(InvalidRuntimeConfigException exception) {
+        return ProblemDetails.builder()
+                .status(400)
+                .title("Config Validation Failed")
+                .detail(exception.getMessage())
+                .build();
+    }
+
+}

apiserver/src/main/java/org/dependencytrack/resources/v2/exception/RuntimeConfigValidationExceptionMapper.java → apiserver/src/main/java/org/dependencytrack/resources/v2/exception/RuntimeConfigSchemaValidationExceptionMapper.java

@@ -22,19 +22,19 @@
 import jakarta.ws.rs.ext.Provider;
 import org.dependencytrack.api.v2.model.JsonSchemaValidationError;
 import org.dependencytrack.api.v2.model.JsonSchemaValidationProblemDetails;
-import org.dependencytrack.plugin.runtime.config.RuntimeConfigValidationException;
+import org.dependencytrack.plugin.runtime.config.RuntimeConfigSchemaValidationException;
 
 import java.util.ArrayList;
 
 /**
  * @since 5.7.0
  */
 @Provider
-public final class RuntimeConfigValidationExceptionMapper
-        extends ProblemDetailsExceptionMapper<RuntimeConfigValidationException, JsonSchemaValidationProblemDetails> {
+public final class RuntimeConfigSchemaValidationExceptionMapper
+        extends ProblemDetailsExceptionMapper<RuntimeConfigSchemaValidationException, JsonSchemaValidationProblemDetails> {
 
     @Override
-    public JsonSchemaValidationProblemDetails map(final RuntimeConfigValidationException exception) {
+    public JsonSchemaValidationProblemDetails map(final RuntimeConfigSchemaValidationException exception) {
         final var errors = new ArrayList<JsonSchemaValidationError>(exception.getValidationMessages().size());
 
         for (final ValidationMessage validationMessage : exception.getValidationMessages()) {

apiserver/src/test/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessorTest.java

@@ -479,24 +479,28 @@ void canUpdateExistingVulnerabilityTest(
                 case GITHUB -> {
                     final var configRegistry = pluginManager
                             .getMutableConfigRegistry(VulnDataSource.class, "github");
-                    final var config = configRegistry.getRuntimeConfig(GitHubVulnDataSourceConfig.class);
-                    config.setEnabled(mirrorSourceEnabled);
-                    config.setApiToken("dummy");
-                    configRegistry.setRuntimeConfig(config);
+                    configRegistry
+                            .getOptionalRuntimeConfig(GitHubVulnDataSourceConfig.class)
+                            .map(config -> config
+                                    .withEnabled(mirrorSourceEnabled)
+                                    .withApiToken("dummy"))
+                            .ifPresent(configRegistry::setRuntimeConfig);
                 }
                 case NVD -> {
                     final var configRegistry = pluginManager
                             .getMutableConfigRegistry(VulnDataSource.class, "nvd");
-                    final var config = configRegistry.getRuntimeConfig(NvdVulnDataSourceConfig.class);
-                    config.setEnabled(mirrorSourceEnabled);
-                    configRegistry.setRuntimeConfig(config);
+                    configRegistry
+                            .getOptionalRuntimeConfig(NvdVulnDataSourceConfig.class)
+                            .map(config -> config.withEnabled(mirrorSourceEnabled))
+                            .ifPresent(configRegistry::setRuntimeConfig);
                 }
                 case OSV -> {
                     final var configRegistry = pluginManager
                             .getMutableConfigRegistry(VulnDataSource.class, "osv");
-                    final var config = configRegistry.getRuntimeConfig(OsvVulnDataSourceConfig.class);
-                    config.setEnabled(mirrorSourceEnabled);
-                    configRegistry.setRuntimeConfig(config);
+                    configRegistry
+                            .getOptionalRuntimeConfig(OsvVulnDataSourceConfig.class)
+                            .map(config -> config.withEnabled(mirrorSourceEnabled))
+                            .ifPresent(configRegistry::setRuntimeConfig);
                 }
             }
 

apiserver/src/test/java/org/dependencytrack/resources/v2/ExtensionsResourceTest.java

@@ -31,6 +31,7 @@
 import org.dependencytrack.plugin.api.ExtensionPoint;
 import org.dependencytrack.plugin.api.ExtensionPointSpec;
 import org.dependencytrack.plugin.api.ExtensionTestResult;
+import org.dependencytrack.plugin.api.config.InvalidRuntimeConfigException;
 import org.dependencytrack.plugin.api.config.RuntimeConfig;
 import org.dependencytrack.plugin.api.config.RuntimeConfigSchemaSource;
 import org.dependencytrack.plugin.api.config.RuntimeConfigSpec;
@@ -309,6 +310,35 @@ void updateExtensionConfigShouldReturnBadRequestWhenInvalid() {
                 """);
     }
 
+    @Test
+    void updateExtensionConfigShouldReturnBadRequestWhenConfigValidationFails() {
+        pluginManager.loadPlugins(List.of(
+                () -> List.of(new ExtensionWithValidatorFactory())));
+
+        initializeWithPermissions(Permissions.SYSTEM_CONFIGURATION_UPDATE);
+
+        final Response response = jersey
+                .target("/extension-points/dummy/extensions/extension-with-validator/config")
+                .request()
+                .header(X_API_KEY, apiKey)
+                .put(Entity.json(/* language=JSON */ """
+                        {
+                          "config": {
+                            "outcome": "PASSED"
+                          }
+                        }
+                        """));
+        assertThat(response.getStatus()).isEqualTo(400);
+        assertThatJson(getPlainTextBody(response)).isEqualTo(/* language=JSON */ """
+                {
+                  "status": 400,
+                  "type": "about:blank",
+                  "title": "Config Validation Failed",
+                  "detail": "Boom!"
+                }
+                """);
+    }
+
     @Test
     void getExtensionConfigSchemaShouldReturnConfigSchema() {
         pluginManager.loadPlugins(List.of(
@@ -452,7 +482,7 @@ void testExtensionShouldReturnBadRequestWhenExtensionDoesNotSupportTesting() {
     }
 
     @Test
-    void testExtensionShouldReturnBadRequestWhenConfigIsInvalid() {
+    void testExtensionShouldReturnBadRequestWhenConfigSchemaValidationFails() {
         pluginManager.loadPlugins(List.of(
                 () -> List.of(new TestableExtensionFactory())));
 
@@ -489,6 +519,35 @@ void testExtensionShouldReturnBadRequestWhenConfigIsInvalid() {
                 """);
     }
 
+    @Test
+    void testExtensionShouldReturnBadRequestWhenConfigValidationFails() {
+        pluginManager.loadPlugins(List.of(
+                () -> List.of(new ExtensionWithValidatorFactory())));
+
+        initializeWithPermissions(Permissions.SYSTEM_CONFIGURATION_UPDATE);
+
+        final Response response = jersey
+                .target("/extension-points/dummy/extensions/extension-with-validator/test")
+                .request()
+                .header(X_API_KEY, apiKey)
+                .post(Entity.json(/* language=JSON */ """
+                        {
+                          "config": {
+                            "outcome": "PASSED"
+                          }
+                        }
+                        """));
+        assertThat(response.getStatus()).isEqualTo(400);
+        assertThatJson(getPlainTextBody(response)).isEqualTo(/* language=JSON */ """
+                {
+                  "status": 400,
+                  "type": "about:blank",
+                  "title": "Config Validation Failed",
+                  "detail": "Boom!"
+                }
+                """);
+    }
+
     @ExtensionPointSpec(name = "dummy", required = false)
     private interface DummyExtensionPoint extends ExtensionPoint {
     }
@@ -521,7 +580,7 @@ public int priority() {
         @Override
         public RuntimeConfigSpec runtimeConfigSpec() {
             final var defaultConfig = new DummyRuntimeConfig("test", null);
-            return new RuntimeConfigSpec(
+            return RuntimeConfigSpec.of(
                     defaultConfig,
                     new RuntimeConfigSchemaSource.Literal(/* language=JSON */ """
                             {
@@ -541,7 +600,8 @@ public RuntimeConfigSpec runtimeConfigSpec() {
                                 "requiredString"
                               ]
                             }
-                            """));
+                            """),
+                    null);
         }
 
         @Override
@@ -625,7 +685,7 @@ public ExtensionTestResult test(@Nullable RuntimeConfig runtimeConfig) {
         @Override
         public @Nullable RuntimeConfigSpec runtimeConfigSpec() {
             final var defaultConfig = new TestableRuntimeConfig(null);
-            return new RuntimeConfigSpec(
+            return RuntimeConfigSpec.of(
                     defaultConfig,
                     new RuntimeConfigSchemaSource.Literal(/* language=JSON */ """
                             {
@@ -641,7 +701,64 @@ public ExtensionTestResult test(@Nullable RuntimeConfig runtimeConfig) {
                                 }
                               }
                             }
-                            """));
+                            """),
+                    null);
+        }
+
+    }
+
+    private static class ExtensionWithValidatorFactory implements ExtensionFactory<DummyExtensionPoint> {
+
+        @Override
+        public String extensionName() {
+            return "extension-with-validator";
+        }
+
+        @Override
+        public Class<? extends DummyExtensionPoint> extensionClass() {
+            return DummyExtension.class;
+        }
+
+        @Override
+        public int priority() {
+            return 0;
+        }
+
+        @Override
+        public void init(ExtensionContext ctx) {
+        }
+
+        @Override
+        public @Nullable RuntimeConfigSpec runtimeConfigSpec() {
+            final var defaultConfig = new TestableRuntimeConfig(null);
+            return RuntimeConfigSpec.of(
+                    defaultConfig,
+                    new RuntimeConfigSchemaSource.Literal(/* language=JSON */ """
+                            {
+                              "$schema": "https://json-schema.org/draft/2020-12/schema",
+                              "type": "object",
+                              "properties": {
+                                "outcome": {
+                                  "type": "string",
+                                  "enum": [
+                                    "PASSED",
+                                    "FAILED"
+                                  ]
+                                }
+                              }
+                            }
+                            """),
+                    config -> {
+                        final var actualConfig = (TestableRuntimeConfig) config;
+                        if (actualConfig.outcome() != null) {
+                            throw new InvalidRuntimeConfigException("Boom!");
+                        }
+                    });
+        }
+
+        @Override
+        public DummyExtensionPoint create() {
+            return new DummyExtension();
         }
 
     }

notification/publishing/src/main/java/org/dependencytrack/notification/publishing/email/EmailNotificationPublisherFactory.java

@@ -66,7 +66,7 @@ public RuntimeConfigSpec ruleConfigSpec() {
                 .withSenderAddress("dependencytrack@localhost")
                 .withSubjectPrefix("[Dependency-Track]");
 
-        return new RuntimeConfigSpec(defaultConfig);
+        return RuntimeConfigSpec.of(defaultConfig);
     }
 
     @Override

notification/publishing/src/main/java/org/dependencytrack/notification/publishing/jira/JiraNotificationPublisherFactory.java

@@ -74,7 +74,7 @@ public RuntimeConfigSpec ruleConfigSpec() {
                 .withProjectKey("EXAMPLE")
                 .withTicketType("TASK");
 
-        return new RuntimeConfigSpec(defaultConfig);
+        return RuntimeConfigSpec.of(defaultConfig);
     }
 
     @Override